Cybersecurity researchers are bringing attention to new botnet malware called HTTPBOT, which has been used primarily to select the gaming industry, as well as technology companies and educational institutions in China.
“Over the past few months, we have actively expanded our continued use of infected devices to launch external attacks,” NSFOCUS said in a report released this week. “We circumvent traditional rule-based detection mechanisms by employing highly simulated HTTP flood attacks and dynamic feature obfuscation techniques.”
First discovered in the wild in August 2024, HTTPBOT retrieves its name from launching a distributed denial of service attack using the HTTP protocol. This one written in Golang is like an anomaly given the targeting of Windows systems.
Windows-based Botnet Trojan is notable for its use in precisely targeted attacks aimed at high-value business interfaces such as gaming logins and payment systems.
“This attack with ‘scalpel-like’ accuracy poses a systematic threat to industries that rely on real-time interactions,” says Beijing Headquarters. “HTTPBOT marks a paradigm shift in DDOS attacks, moving from “indiscriminate traffic control” to “high-precision business strangulation.” ”
HTTPBOT is estimated to have issued more than 200 attack instructions since its launch in April 2025, and is designed to attack the Chinese gaming industry, technology companies, educational institutions and tourism portals.
When installed and run, malware hides the graphical user interface (GUI) by both users and security tools avoiding process process monitoring to increase the stealthiness of attacks. It also relies on incorrect Windows registry operations to ensure that it runs automatically when the system starts up.
Botnet malware is waiting for further instructions to perform an HTTP flood attack on a particular target by establishing contact with a command and control (C2) server and sending large numbers of HTTP requests. Supports a variety of attack modules –
Use a hidden Google Chrome instance to eject a browserAttack httpautoAttack that mimics legitimate traffic while mimics legitimate traffic. This accurately simulates httpfpdlattack, which uses a cookie-based approach to accurately simulate legitimate sessions. Establish the Websocket Connections Postcack using the “ws://” and “wss://” protocols.
“The DDOS BOTNET family tends to converge on Linux and IoT platforms,” NSFocus said. “However, the HTTPBOT BOTNET family is specifically targeted at the Windows platform.”
“By deep simulating the protocol layer and mimicking legal browser behavior, HTTPBOT bypasses defenses that rely on protocol integrity, and continually occupies server session resources via randomized URL paths and cookie replenishment mechanisms.
Source link
